LastPass Password Manager - Time to move on?

victor2

400ixl said:

flaneurs_lobster said:

Thanks for all comments. I've got six weeks or so before subscription renewal so I think I'll follow @400ixl 's lead and run Bitwarden in parallel on a couple of devices (PC & phone) and see how they compare. It does seem that I'd need the paid-for version of Bitwarden to get the Emergency Access functionality but even then it would still be less than half the price of  LastPass.

Thanks again.

What do you want the emergency access functionality for?

I use LastPass family and find the emergency access quite reassuring. If I fall over dead, my DD can request access to my data. LastPass email me and if I don't respond within a set number of hours, she gets access to my vault.
She doesn't need to know my master password, but gets given access.
I tried it by creating a free LastPass account, saving a few "passwords", then adding that account to our family. Requested access through my real account in the family and after the allotted time elapsed without a reply, I could see the other account's vault. Curious how that could be done when LastPass only store encrypted data, it seems that when you join a family group, all your data is encrypted using the public key for each family member.

We make extensive use of LastPass,and it will be with reluctance if we switch to another cheaper service. I don't even know if anyone offers the same features.

flaneurs_lobster

Olinda99 said:

The usual.technical.sites imply that as long as your master password is complex, not trivial and unique (not used anywhere else) then you will be fine.

I agree, but the tech journalists can only make these judgements based on the information that LastPass are choosing to release.

The fact that they did not realise on day one of discovering the hack that this constituted a serious threat to their customer's data shows that their security infrastructure, audit and deployment methods are suspect.

That, or they did realise and chose not to release this information at once.

flaneurs_lobster

victor2 said:

400ixl said:

What do you want the emergency access functionality for?

I use LastPass family and find the emergency access quite reassuring. If I fall over dead, my DD can request access to my data. LastPass email me and if I don't respond within a set number of hours, she gets access to my vault.
She doesn't need to know my master password, but gets given access.
I tried it by creating a free LastPass account, saving a few "passwords", then adding that account to our family. Requested access through my real account in the family and after the allotted time elapsed without a reply, I could see the other account's vault. Curious how that could be done when LastPass only store encrypted data, it seems that when you join a family group, all your data is encrypted using the public key for each family member.

We make extensive use of LastPass,and it will be with reluctance if we switch to another cheaper service. I don't even know if anyone offers the same features.

Exactly as @victor2 says. In fact, if any users of Bitwarden are using this functionality I'd be grateful for their experience - the free version I intend to try out doesn't include it.

Miser1964

I've just dumped LP in favour of Bitwarden. The revelation that the web-site URLs in the stolen customer vaults were not encrypted was the final straw for me.

My master passphrase was decent (15 chars) but I've been rotating passwords on many sites just to be sure, at the same time as loading the details into Bitwarden.

The fact that Bitwarden free edition also works on mobis is a plus too. 

flaneurs_lobster

Miser1964 said:

I've just dumped LP in favour of Bitwarden. The revelation that the web-site URLs in the stolen customer vaults were not encrypted was the final straw for me.

I hadn't realised this, does this mean that the bad people now have user ids (almost certainly email addresses) and the websites they are used on? Not good.

I'm pretty sure that the passwords I use for the important stuff are strong and unique but that is definitely not true of everything.

Well worth a look at the password security report in LastPass (which, to be fair, is a useful tool) to make sure that only trivial sites have the password set to "password".

victor2

I thought long and hard before entrusting my personal details to a third party. You know current encryption techniques would take computing power way beyond anything around today to quickly break, but the Germans thought enigma was uncrackable until Alan Turing & Co. came along and invented the computer to crack it.

The LastPass news is alarming in one aspect, but could we be jumping out of the frying pan into the fire by switching to somebody like Bitwarden? It costs about the same as LastPass if you want the family sharing feature.

Miser1964

>does this mean that the bad people now have user ids (almost certainly email addresses) and the websites they are used on?<

LP say that the login credentials are encrypted but inexplicably the web-site URLs is held in clear text in the vault. Everything hinges on whether your master password is weak/re-used or difficult to brute force. 

Olinda99

also note that the password (for example) elephantcauliflowerbacongeography is a 4 'character' password when using brute force (dictionary attack) and thus despite being a 34 character password is instantly crackable

Miser1964

>despite being a 34 character password is instantly crackable<

I don't believe that is correct - The logic behind three random words - NCSC.GOV.UK

Swipe

Olinda99 said:

also note that the password (for example) elephantcauliflowerbacongeography is a 4 'character' password when using brute force (dictionary attack) and thus despite being a 34 character password is instantly crackable

Utter nonsense